Critical Controls in Action

By Alex MacLachlan October 11, 2016 compliance, incident-response

The story of the tortoise and the hare is relevant to building any cybersecurity program. When faced with the challenges of doing business online in our highly connected world, cybersecurity can quickly seem like an arms race: a race where every day brings a new way to conduct business online and ten ways it can potentially be exploited to steal a company’s data, personal identities or money. As organizations build cybersecurity programs, they open their eyes to a much larger threat landscape than the one that originally caused them to build a program in the first place. Despite new technology being purchased and implemented to help protect an organization, best efforts may still lead to the inevitable breach, which always seems to lurk just around the corner; it is indeed only a matter of time. There is no shortage of technical solutions to purchase, consultants to provide advice, or even free online resources. But implementing anything and everything you can in a frantic rush to secure a business is often met with frustration, high costs and ultimate failure. Taking a slow and steady pace with a rational and logical approach to building a program can pay big dividends.

All too often organizations fail to fully operationalize their cybersecurity investments, and many implementation projects only get half-baked into an organization before resources are focused on other tasks or new projects. This leaves companies susceptible to attacks, staff over-tasked and ineffective, and time and money wasted. The industry is changing, however, and corporate leadership is taking notice: recognizing that these kinds of organizational impacts should be prevented, leaders are asking their experts to move on to other jobs or other companies if they fail to fully realize organizational goals through operational controls. Not only does technology need to be properly employed to effectively protect an organization, but efficiencies must also be realized by the operational teams leveraging the systems; otherwise it will be impossible to get the investment benefits from that specific technology. What this means is that when, as a security practitioner, you have advocated for needed technology to protect a company, gone through the pain and suffering of convincing leadership, gotten the funds allocated and actually purchased the technology, that is when the real work begins, not ends.

As you bring new technology into an organization to prevent cyber disasters, you need to be thinking about how that system is going to be operationalized, and take every opportunity you can to automate tasks, integrate with other pre-existing systems and build processes that relieve skilled staff from performing repetitive administrative tasks.

Regardless of the technology being implemented, there should be expected results and regular performance indicators to ensure that systems and staff are consistently performing, and that alerts are generated when adjustments are needed or intervention is required. Once properly tuned automation is in place, the system should provide actionable results and staff should take proactive steps to identify, protect against, detect and respond to threats. Only once a continuous improvement process with reporting is in place should you consider the technology operationalized.

Once operationalized, you can’t just trust the system, and just because some technology tells you there is a potential issue does not mean you know what to do about it. The actions staff need to take to properly respond to a virus, as opposed to a denial of service attack, are dramatically different and therefore need to be well thought out to ensure an organization can effectively respond to and recover from those types of events.

Do you reimage? Do you unplug the server? What information is needed during an investigation? Do you need to contact the legal department? These types of questions, and many more like them, get asked over and over again during an incident, and even the smallest detail left out could mean the security team misses the smoking gun. To make matters even more complex, depending on the affected system, the required remediation actions may need to take different paths depending on whether a system contains Personal Health Information (PHI) as opposed to a system that processes credit card transactions (PCI).

Building out a master system that helps direct a proper incident response plan is invaluable no matter what technology an organization is using to protect itself from cybercrime. A master system that guides analysts through the collection of evidence, the specific attributes that must be collected and the necessary communication requirements not only helps ensure proper processes are followed, but also that any regulatory requirements are immediately fulfilled without question.

The Center for Internet Security (CIS) Critical Security Controls, which are core to many standards including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, clearly include the requirement for implementing incident response infrastructure to help not only plan incident actions but also define roles and communication requirements. Although you cannot prescribe every possible action for every condition or incident, a clear playbook for as many varieties of incident as you can build will pay huge dividends when an incident occurs and the fog of war and chaos sets in.

All too often I find organizations that complain they don’t get enough budget for cybersecurity, don’t have enough people to perform the mission, and have far too many gaps on the network to provide any real protection for the company they are working for. There are many cases where this is true, but on a deeper look, many of these complaints are self-inflicted by incomplete technology implementations and a lack of operationalized systems to perform effective and complete incident response management.

Security teams must look at the types of events they expect, perform tabletop exercises against those expected events, and build out master playbook systems that can guide analysts to perform the required actions discovered during those exercises when the real events occur.


Alex MacLachlan

Alex is the Director of Marketing at D3. He oversees D3's marketing, communications, and digital programs. He enjoys fishing, "checking the analytics", playing golf and watching hockey - in that order.
